Ouranosinc / Magpie

AuthN/AuthZ services
https://pavics-magpie.readthedocs.io
Apache License 2.0

[Feature] How to specify a whitelist of allowed characters in username #497

Closed tlvu closed 1 year ago

tlvu commented 2 years ago

Is your feature request related to a problem? Please describe. With PAVICS, Magpie is used as the authentication source for the JupyterHub. Usernames created in Magpie containing a dash (-) or an underscore (_) do not work with JupyterHub.

Username test_underscore becomes test-5funderscore and then the matching container name that has the badly escaped username is not found.

To the end user, they are unable to spawn their personal Jupyter server.

test-dash becomes test-2ddash !

This code in the DockerSpawner seems to be responsible for the too-severely escaped username: https://github.com/jupyterhub/dockerspawner/blob/87938e64fd3ca9a3e6170144fa6395502e3dba34/dockerspawner/dockerspawner.py#L863-L867

There is a way to use the unaltered "raw_username" directly from Magpie, but then we should ensure only whitelisted characters are allowed at user creation in Magpie.

Describe the solution you'd like In order to prevent badly created usernames from the start and avoid going back and forth with the end user, is there a way to specify a list of allowed characters in usernames in the user creation page on Magpie?

Describe alternatives you've considered We put a note to ourselves to avoid dash and underscore chars, but we are more than one person creating accounts, so errors can still happen. And if we ever allow account self-creation, this will become a big problem for us.

Additional context JupyterHub logs showing the test_underscore and test-5funderscore mismatch:

[I 2022-01-18 23:42:42.085 JupyterHub log:189] 302 POST /jupyter/hub/spawn -> /jupyter/hub/spawn-pending/test_underscore (test_underscore@198.48.212.50) 17911.56ms
[W 2022-01-18 23:42:42.085 JupyterHub base:1008] User test_underscore is slow to start (timeout=10)
[I 2022-01-18 23:42:42.252 JupyterHub pages:402] test_underscore is pending spawn
[I 2022-01-18 23:42:42.400 JupyterHub log:189] 200 GET /jupyter/hub/spawn-pending/test_underscore (test_underscore@198.48.212.150) 217.39ms
[I 2022-01-18 23:42:44.593 JupyterHub log:189] 302 GET /jupyter/hub/spawn -> /jupyter/hub/login?next=%2Fjupyter%2Fhub%2Fspawn (@198.48.212.150) 7.70ms
[I 2022-01-18 23:42:44.777 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2Fspawn (@198.48.212.150) 121.17ms
[D 2022-01-18 23:42:44.888 JupyterHub log:189] 200 GET /jupyter/hub/static/css/style.min.css?v=bff49b4a161afb17ee3b71927ce7d6c4e5b0e4b9ef6f18ca3e356a05f29e69776d3a76aee167060dd2ae2ee62d3cfdcf203b4b0090b1423f7d629ea7daa3f9da (@198.48.212.150) 8.50ms
[D 2022-01-18 23:42:44.963 JupyterHub log:189] 200 GET /jupyter/hub/static/components/requirejs/require.js?v=bd1aa102bdb0b27fbf712b32cfcd29b016c272acf3d864ee8469376eaddd032cadcf827ff17c05a8c8e20061418fe58cf79947049f5c0dff3b4f73fcc8cad8ec (@198.48.212.150) 1.31ms
[D 2022-01-18 23:42:44.968 JupyterHub log:189] 200 GET /jupyter/hub/static/components/jquery/dist/jquery.min.js?v=f3de1813a4160f9239f4781938645e1589b876759cd50b7936dbd849a35c38ffaed53f6a61dbdd8a1cf43cf4a28aa9fffbfddeec9a3811a1bb4ee6df58652b31 (@198.48.212.150) 1.24ms
[D 2022-01-18 23:42:45.017 JupyterHub log:189] 200 GET /jupyter/hub/static/components/bootstrap/dist/js/bootstrap.min.js?v=a014e9acc78d10a0a7a9fbaa29deac6ef17398542d9574b77b40bf446155d210fa43384757e3837da41b025998ebfab4b9b6f094033f9c226392b800df068bce (@198.48.212.150) 1.36ms
[D 2022-01-18 23:42:45.100 JupyterHub dockerspawner:935] Getting container 'jupyter-test-5funderscore'
[I 2022-01-18 23:42:45.106 JupyterHub dockerspawner:941] Container 'jupyter-test-5funderscore' is gone
[D 2022-01-18 23:42:45.233 JupyterHub log:189] 200 GET /jupyter/hub/logo (@198.48.212.150) 1.32ms
[D 2022-01-18 23:42:51.002 JupyterHub dockerspawner:1038] Starting host with config: {'auto_remove': True, 'binds': {'/data/jupyterhub_user_data/test-5funderscore': {'bind': '/notebook_dir/writable-workspace', 'mode': 'rw'}, '/data/jupyterhub_user_data/jupyter-readme/README.ipynb': {'bind': '/notebook_dir/README.ipynb', 'mode': 'ro'}, '/data/jupyterhub_user_data/pavics-homepage': {'bind': '/notebook_dir/pavics-homepage', 'mode': 'ro'}, '/data/jupyterhub_user_data/public-share': {'bind': '/notebook_dir/public', 'mode': 'ro'}, '/data/jupyterhub_user_data/public-share/test-5funderscore-public': {'bind': '/notebook_dir/mypublic', 'mode': 'rw'}, '/data/jupyterhub_user_data/tutorial-notebooks': {'bind': '/notebook_dir/tutorial-notebooks', 'mode': 'ro'}}, 'links': {}, 'mounts': [], 'network_mode': 'jupyterhub_network'}
[E 2022-01-18 23:43:51.061 JupyterHub user:689] Unhandled error starting test_underscore's server: UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
[D 2022-01-18 23:43:51.061 JupyterHub user:790] Stopping test_underscore
[D 2022-01-18 23:43:51.061 JupyterHub dockerspawner:935] Getting container 'jupyter-test-5funderscore'
[I 2022-01-18 23:43:51.065 JupyterHub dockerspawner:941] Container 'jupyter-test-5funderscore' is gone
[W 2022-01-18 23:43:51.065 JupyterHub dockerspawner:916] Container not found: jupyter-test-5funderscore

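To make the mismatch above concrete, here is an added example (not Magpie's or DockerSpawner's own code) that re-implements the hex escaping the issue describes and validates usernames at creation time against a whitelist regex read from an ini-style config, as the feature request asks for; the `[magpie]` section, the `user_name_allowed_regex` key and the sample usernames are assumptions.

```python
import configparser
import re
import string

# Characters kept as-is by the spawner-style escaping. The escape character
# '-' is deliberately NOT in the safe set, which is why "test-dash" turns
# into "test-2ddash" (0x2d is '-') in the issue above.
DOCKER_SAFE = frozenset(string.ascii_letters + string.digits)


def docker_escape(name: str, escape_char: str = "-") -> str:
    """Re-implementation (not DockerSpawner's code) of hex-escaping a username.

    Every unsafe character is replaced by one '<escape_char><hex byte>' chunk
    per UTF-8 byte, and the result is lower-cased.
    """
    out = []
    for ch in name:
        if ch in DOCKER_SAFE and ch != escape_char:
            out.append(ch)
        else:
            out.extend(f"{escape_char}{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out).lower()


def container_name_mismatch(name: str) -> bool:
    """True when the raw username and the escaped container suffix differ."""
    return docker_escape(name) != name


# Constructed magpie.ini fragment; the key name is an assumption, not a real
# Magpie setting. Each org can tighten or loosen the regex for itself.
CONFIG_TEXT = """
[magpie]
user_name_allowed_regex = ^[a-z0-9]{3,32}$
"""


def load_username_policy(ini_text: str) -> re.Pattern:
    """Read the allowed-username regex from an ini-style config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return re.compile(cfg.get("magpie", "user_name_allowed_regex"))


def username_allowed(name: str, policy: re.Pattern) -> bool:
    """Whitelist check to run before creating the user."""
    return policy.fullmatch(name) is not None
```

With the sample policy, `test_underscore` and `test-dash` are rejected at creation, so the spawner's escaped name can never diverge from the raw one.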
fmigneault commented 2 years ago

Technically, Magpie also allows emails as "username", so there would be many more characters that can pose a problem. The image name should instead consider using the user-id of that user. Security-wise, that would also be a better practice to anonymize the container.

tlvu commented 2 years ago

Just to be clear, the "whitelist of allowed characters in username" should be configurable via a config file (e.g. magpie.ini) so each org can decide for themselves if an email can be in the username field or not, for example.

In general, when a policy is decided (e.g. what characters are allowed for usernames, minimum password length, ...) it should have a possible override so each org can decide for themselves.

That said, we are not blocked, so this is just a nice-to-have feature request.

tlvu commented 1 year ago

Duplicate of https://github.com/bird-house/birdhouse-deploy/issues/393